Reaching definitions analysis tries to subscript an FP object leading to TypeError
Describe the bug.
Reaching definitions analysis tries to subscript an FP object in _handle_Conversion and encounters a TypeError. Here is the traceback printed in the console in angr-management:
Exception while running job "Variable Recovery":
Traceback (most recent call last):
  File "/home/dnivra/angr-dev/angr-management/angrmanagement/data/instance.py", line 270, in _worker
    result = job.run(self)
  File "/home/dnivra/angr-dev/angr-management/angrmanagement/data/jobs/job.py", line 42, in run
    return self._run(inst)
  File "/home/dnivra/angr-dev/angr-management/angrmanagement/data/jobs/variable_recovery.py", line 23, in _run
    inst.project.analyses.CompleteCallingConventions(
  File "/home/dnivra/angr-dev/angr/angr/analyses/analysis.py", line 115, in __call__
    oself.__init__(*args, **kwargs)
  File "/home/dnivra/angr-dev/angr/angr/analyses/complete_calling_conventions.py", line 48, in __init__
    self._analyze()
  File "/home/dnivra/angr-dev/angr/angr/analyses/complete_calling_conventions.py", line 101, in _analyze
    cc_analysis = self.project.analyses.CallingConvention(func, cfg=self._cfg,
  File "/home/dnivra/angr-dev/angr/angr/analyses/analysis.py", line 115, in __call__
    oself.__init__(*args, **kwargs)
  File "/home/dnivra/angr-dev/angr/angr/analyses/calling_convention.py", line 81, in __init__
    self._analyze()
  File "/home/dnivra/angr-dev/angr/angr/analyses/calling_convention.py", line 113, in _analyze
    callsite_facts = self._analyze_callsites(max_analyzing_callsites=3)
  File "/home/dnivra/angr-dev/angr/angr/analyses/calling_convention.py", line 242, in _analyze_callsites
    rda = self.project.analyses.ReachingDefinitions(
  File "/home/dnivra/angr-dev/angr/angr/analyses/analysis.py", line 115, in __call__
    oself.__init__(*args, **kwargs)
  File "/home/dnivra/angr-dev/angr/angr/analyses/reaching_definitions/reaching_definitions.py", line 162, in __init__
    self._analyze()
  File "/home/dnivra/angr-dev/angr/angr/analyses/forward_analysis/forward_analysis.py", line 240, in _analyze
    self._analysis_core_graph()
  File "/home/dnivra/angr-dev/angr/angr/analyses/forward_analysis/forward_analysis.py", line 259, in _analysis_core_graph
    changed, output_state = self._run_on_node(n, job_state)
  File "/home/dnivra/angr-dev/angr/angr/analyses/reaching_definitions/reaching_definitions.py", line 365, in _run_on_node
    state, self._visited_blocks, self._dep_graph = engine.process(
  File "/home/dnivra/angr-dev/angr/angr/analyses/reaching_definitions/engine_vex.py", line 62, in process
    self._process(
  File "/home/dnivra/angr-dev/angr/angr/engines/light/engine.py", line 145, in _process
    self._process_Stmt(whitelist=whitelist)
  File "/home/dnivra/angr-dev/angr/angr/engines/light/engine.py", line 166, in _process_Stmt
    self._handle_Stmt(stmt)
  File "/home/dnivra/angr-dev/angr/angr/analyses/reaching_definitions/engine_vex.py", line 106, in _handle_Stmt
    super()._handle_Stmt(stmt)
  File "/home/dnivra/angr-dev/angr/angr/engines/light/engine.py", line 194, in _handle_Stmt
    getattr(self, handler)(stmt)
  File "/home/dnivra/angr-dev/angr/angr/analyses/reaching_definitions/engine_vex.py", line 113, in _handle_WrTmp
    data: MultiValues = self._expr(stmt.data)
  File "/home/dnivra/angr-dev/angr/angr/analyses/reaching_definitions/engine_vex.py", line 299, in _expr
    data = super()._expr(expr)
  File "/home/dnivra/angr-dev/angr/angr/engines/light/engine.py", line 232, in _expr
    return getattr(self, handler)(expr)
  File "/home/dnivra/angr-dev/angr/angr/engines/light/engine.py", line 294, in _handle_Unop
    return getattr(self, handler)(expr)
  File "/home/dnivra/angr-dev/angr/angr/analyses/reaching_definitions/engine_vex.py", line 464, in _handle_Conversion
    data.add(v[bits - 1:0])
TypeError: 'FP' object is not subscriptable
Environment Information.
I am running current HEAD of all repos. Including full environment information for completeness:
=============================
Date: 2022-01-08 16:19:36.532352
Running in virtual environment at /home/dnivra/.virtualenvs/angr-dev
Platform: linux-x86_64
Python version: 3.8.10 (default, Nov 26 2021, 20:14:08)
[GCC 9.3.0]
######## angr #########
Python found it in /home/dnivra/angr-dev/angr/angr
Pip version angr 9.1.gitrolling
Git info:
Current commit 4b04d56ace135018083d36d9083805be8146688b from branch master
Checked out from remote origin: https://github.com/angr/angr
######## ailment #########
Python found it in /home/dnivra/angr-dev/ailment/ailment
Pip version ailment 9.1.gitrolling
Git info:
Current commit 638496df6547662517f5f524c9bde4b53fcbd176 from branch master
Checked out from remote origin: https://github.com/angr/ailment
######## cle #########
Python found it in /home/dnivra/angr-dev/cle/cle
Pip version cle 9.1.gitrolling
Git info:
Current commit 7dea3e72a06c7596b9ef7b884c42cb19bca7620a from branch master
Checked out from remote origin: https://github.com/angr/cle
######## pyvex #########
Python found it in /home/dnivra/angr-dev/pyvex/pyvex
Pip version pyvex 9.1.gitrolling
Git info:
Current commit 91e5e27b804e3712899796b00814b2cb4f0855d8 from branch master
Checked out from remote origin: https://github.com/angr/pyvex
######## claripy #########
Python found it in /home/dnivra/angr-dev/claripy/claripy
Pip version claripy 9.1.gitrolling
Git info:
Current commit 4c961b4dc664706be8142fe4868f27655bc8da77 from branch master
Checked out from remote origin: https://github.com/angr/claripy
######## archinfo #########
Python found it in /home/dnivra/angr-dev/archinfo/archinfo
Pip version archinfo 9.1.gitrolling
Git info:
Current commit bd84450115db29bef89022e3c63c7ea84facd46e from branch master
Checked out from remote origin: https://github.com/angr/archinfo
######## z3 #########
Python found it in /home/dnivra/.virtualenvs/angr-dev/lib/python3.8/site-packages/z3
Pip version z3-solver 4.8.14.0
Couldn't find git info
######## unicorn #########
Python found it in /home/dnivra/.virtualenvs/angr-dev/lib/python3.8/site-packages/unicorn
Pip version unicorn 1.0.2rc4
Couldn't find git info
######### Native Module Info ##########
angr: <CDLL '/home/dnivra/angr-dev/angr/angr/state_plugins/../lib/angr_native.so', handle 27bd560 at 0x7f1eb18b3cd0>
unicorn: <CDLL '/home/dnivra/.virtualenvs/angr-dev/lib/python3.8/site-packages/unicorn/lib/libunicorn.so', handle 21689a0 at 0x7f1eb692a2b0>
pyvex: <cffi.api._make_ffi_library.<locals>.FFILibrary object at 0x7f1eb754fb50>
z3: NOT FOUND
To Reproduce.
Load CROMU_00005 into angr-management. The bug gets triggered when recovering variables.
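The failure mode in the traceback, reduced to a stand-alone sketch (an added example, not code from angr or from the issue author). BV, FP, Top and both narrow_* functions are hypothetical stand-ins, not claripy classes or angr's handler; the guarded variant assumes that treating a non-bitvector operand as an unknown value of the target width is acceptable, and it is not the fix on the wip/fp branch.

```python
from dataclasses import dataclass

# Stand-in value types, constructed for this example (not claripy's classes).

@dataclass(frozen=True)
class BV:
    """Bitvector supporting v[hi:lo] extraction with inclusive bit indices."""
    value: int
    size: int

    def __getitem__(self, s):
        hi, lo = s.start, s.stop
        if not 0 <= lo <= hi < self.size:
            raise IndexError(f"bits {hi}:{lo} out of range for {self.size}-bit value")
        width = hi - lo + 1
        return BV((self.value >> lo) & ((1 << width) - 1), width)

@dataclass(frozen=True)
class FP:
    """Floating-point value. It has no __getitem__, like the FP object in the report."""
    value: float
    size: int = 64

@dataclass(frozen=True)
class Top:
    """Unknown value of a known width."""
    size: int

def narrow_unchecked(values, bits):
    # Same shape as the failing line: data.add(v[bits - 1:0])
    return {v[bits - 1:0] for v in values}

def narrow_guarded(values, bits):
    # Slice only values that are bitvectors wide enough to slice; anything else
    # (here: FP) becomes an unknown of the target width instead of raising.
    out = set()
    for v in values:
        if isinstance(v, BV) and v.size >= bits:
            out.add(v[bits - 1:0])
        else:
            out.add(Top(bits))
    return out

if __name__ == "__main__":
    mixed = {BV(0x12345678, 32), FP(1.5)}  # constructed sample values
    print(narrow_guarded(mixed, 16))
    try:
        narrow_unchecked({FP(1.5)}, 32)
    except TypeError as exc:
        print("unchecked:", exc)
```
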
Issue Analytics
- State:
- Created 2 years ago
- Comments:6 (3 by maintainers)
Top GitHub Comments
Thanks for reporting. This problem has been fixed on the wip/fp branch (with floating point support). Should be merged into angr within the next week.
This issue has been closed due to inactivity.